Compliance Planning for Your Practice and Why It’s Important

by Emily A. Johnson, JD • June 6, 2025

Physicians have a lot going on. Between the pressures of clinical and administrative responsibilities, sometimes the only way to keep everything together is with a to-do list. Unfortunately, it can often feel as though some items never come off that list. Often, the bigger a project sounds, the more likely it is to sit on that list for months—or even years. Revising or implementing a compliance plan can be one of those big projects that tends to linger.

Although compliance programming takes a lot of resources or may already be happening informally, all physicians should review their activities to ensure they are fulfilling their obligations under the law, as well as to their practice.

Whether you already have a compliance program, are looking to start one, or need to review an old compliance program, this article outlines why compliance programs are important, what must be in your compliance program, and how to interact with your compliance program once it’s in place.

The Feds Require It

The Affordable Care Act (ACA) requires all providers to establish a compliance program as a condition for participation in federal healthcare programs such as Medicare and Medicaid. The ACA also requires the program to contain certain core elements—although confusion exists about the authority used to create the core elements. That said, the seven core elements summarized below are generally accepted across the healthcare industry and should be included in your compliance program:

  1. Written policies and procedures;
  2. Compliance leadership and oversight;
  3. Training and education;
  4. Effective lines of communication;
  5. Enforcing standards;
  6. Risk assessment, auditing, and monitoring; and
  7. Response and corrective action initiatives.

A General Compliance Program Guidance (GCPG) document, published by the U.S. Department of Health and Human Services’ Office of Inspector General (OIG) in 2023, provides a crash course in how to create your compliance program (GCPG. https://www.enttoday.org/wp-content/uploads/2025/03/HHS-OIG-GCPG-202335802555.1.pdf). In addition to providing substantial background on the seven core elements, the document provides information on important healthcare laws and how different-sized organizations can scale their compliance programs on the basis of their available resources.

The OIG is also phasing in Industry Segment-Specific Compliance Program Guidance (ICPG) documents. In 2024, the OIG published its first ICPG, focused on nursing facilities. In 2025, OIG anticipates publishing three more ICPGs, focused on Medicare Advantage, hospitals, and clinical laboratories (Nursing Facility ICPG. https://www.enttoday.org/wp-content/uploads/2025/03/nursing-facility-icpg35802556.1.pdf). Check the OIG’s website (https://oig.hhs.gov) for updates. In addition to these guidance documents, a healthcare lawyer can play a crucial role in reviewing the contents of a compliance program to advise on its effectiveness.

Setting up a compliance program is only the first step. To meet the requirement of establishing a compliance program, providers must be able to demonstrate their adherence to it. In other words, providers need to walk the walk and not just talk the talk. A compliance program is a living document that evolves over time.

In addition to being a requirement for participation in federal healthcare programs, compliance programs can be used to mitigate sanctions imposed on providers as a result of a violation of federal laws, such as the Anti-Kickback Statute or the Physician Self-Referral Law (casually referred to as the Stark law). Under the U.S. Federal Sentencing Guidelines, the existence of an effective compliance program has the potential to reduce the culpability of the provider organization when determining sanctions for that organization.

The U.S. Federal Sentencing Guidelines document mirrors the seven core elements published by the OIG in describing the minimum requirements for a compliance program. If the provider organization is found to have exercised due diligence in detecting and preventing criminal conduct, and to have promoted a culture of compliance by executing these seven elements, the organization may experience leniency from the sanctioning agency.

Where to Start?

Between maintaining the ability to participate in Medicare and Medicaid and protecting your organization from possible sanctions, it’s clear that compliance programming should be taken seriously. But where should you start? Here are three tips to get your compliance programming on track.

First, if you are new to compliance programming, read the GCPG. You need a framework for compliance programming to effectively establish a foundation that includes the seven core elements.

Second, identify the individuals who will be responsible for the compliance program. Depending on the size of the organization, this may be one person, or it may be an entire department. It may even be an independent contractor. One of the key features of the seven elements is the personnel used to design and execute the compliance program. For example, the OIG stresses the need for a compliance officer, a compliance committee, and the involvement of a board of directors or the CEO.

Third, realize there is no finish line in compliance. Laws change, organizations change, and healthcare changes. The compliance concerns of 2000 look quite different from the concerns of 2025. Do not let this overwhelm your practice or organization into inaction. Understand that compliance will be a stepwise process. Although the work of compliance never ends, organizations gain compliance skills over time. Engaging with a healthcare lawyer can assist your organization in keeping up with changing regulatory landscapes.

Taking control of your compliance program now could pay dividends later. As stated previously, the OIG has not officially mandated that its seven core elements be implemented to meet the requirements of a compliance program; however, these elements have been widely adopted by the industry. If the OIG eventually mandates specific elements of compliance programming, these seven core elements will likely be required. As such, it is prudent to take advantage of this voluntary period to roll out your compliance program in a controlled manner.

If a physician eventually plans to sell their practice to or merge with another organization, compliance will play a large role in the transaction. As part of the transaction, many purchasers directly ask if a written compliance program is in place at the organization. Additionally, as part of a purchaser’s due diligence process, instances of noncompliance with federal healthcare laws may be uncovered. This could lead to delays in the transaction, a reduction in purchase price, or even the termination of the transaction. An effective compliance program could prevent some of these potential problems.

Final Thoughts

Although very few people find the thought of compliance programming exciting, it is an important facet of the healthcare industry. In addition to providing valuable protections for your organization, it is simply the right thing to do. By conducting your practice’s business in a compliant manner, you play your part in ensuring that the healthcare system can provide high-quality, ethical care to all patients.

So, as you write up your next to-do list, keep compliance programming near the top.

Ms. Johnson is a nationally recognized attorney, author, and speaker with McDonald Hopkins LLC. Email her at ejohnson@mcdonaldhopkins.com.

Reprinted from The Rheumatologist with permission from the American College of Rheumatology.

ENTtoday - https://www.enttoday.org/article/compliance-planning-for-your-practice-and-why-its-important/
